Cyber & Data Risk Insurance


Focused on the Business of Insurance℠ © Nelson Levine de Luca & Hamilton, LLC

HEALTHCARE HIGHLIGHTS 6th Annual Advanced Forum on Cyber & Data Risk Insurance

September 27, 2012

Presented by:

Kimberly B. Holmes, Esq. Chubb Group of Insurance Companies

Christopher Keegan Senior Vice President, Willis

John F. Mullen, Esq. Nelson, Levine, de Luca & Hamilton

Healthcare - What We Know

• Highly regulated industry

– HIPAA

– HITECH

– State data privacy and breach notification laws

• Business Associate requirements are a moving target

– Third party due diligence has always been a problem

• Covered Entities held to a higher standard

– Your customers simply expect more – and they vote with their feet when they don’t get it

What’s Here Now and What’s On the Horizon

• Electronic Medical Records (EMRs)

– Operation/Implementation Challenges

• Fair Information Principles Will Apply

• Health Insurance Exchanges (HIEs)

– HIPAA Compliance Challenges

• Who is and isn’t a Covered Entity?

• Operation/Implementation Challenges

– States will vary in Compliance protocols

EMR and HIPAA

• HIPAA Requirements

EMRs – The New Reality

• The shift toward electronic health records has gained great momentum

• Meaningful use, and interoperability, are big concerns – more data in motion, more data at risk

• The first round of EHR incentive payments for meaningful use occurred earlier this year

EMR—Compliance Costs

• Secure conversion

• Secure storage

• Administrative safeguards

• Technical safeguards

• Physical safeguards

EMR—Cost of Non-compliance

• Exposure to OCR/AG Actions

• Fines

• Punitive damages

EMR—Electronic Security

• During conversion

– Physical security of paper documents

– Secure electronic transmission

– Secure electronic storage

– Secure conversion facility

• After conversion

– Secure destruction of paper records

– Secure electronic storage

Health Insurance Exchanges

• Required under Affordable Care Act (ACA) to be implemented by Jan. 2014

• Some states will operate themselves

• Some states will establish through partnership with federal government and its contractors

• Facilitate the purchase of health insurance coverage by small businesses and individuals

• Determine eligibility and review plans for compliance with required benefits packages

• Facilitate online availability of plans

• Process enrollment

Health Insurance Exchanges (Cont’d.)

• To date, most HIEs have been set up as government or quasi-government entities and are thus NOT “Covered Entities” under HIPAA

• Participating Insurers (Qualified Health Plans) ARE still Covered Entities

• Must continue to comply with HIPAA as well as any new privacy/security requirements imposed by the exchanges on their participating plans

• HHS final rule established no single minimum standards, but directed HIEs to develop privacy/security policies based on FTC Fair Information Practice Principles

Compliance & Notice Regulations

• HITECH Act

– Extends HIPAA to “business associates” of covered entities.

• E.g., claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management

– Permits State Attorneys General to bring civil actions in federal court.

• First AG suit filed against Health Net Connecticut in January 2010 alleging failure to properly encrypt portable data (violating HIPAA) and failure to timely provide notice (suit settled: $250K fine, 2 years of credit monitoring, additional $500K fine if a person suffers ID theft as a result of the breach)

– Civil monetary penalties range from $50K to $1.5 million per violation, per calendar year.

– Provides for mandatory audits by the Secretary of HHS to ensure data security policies and procedures are compliant and implemented.

Compliance & Notice Regulations

• HITECH Act – Civil Penalties

– Cignet Health – HHS fined Cignet $4.3 million (Feb. 2011)

• Cignet failed to provide patients access to their own health information as required by HIPAA (fine $1.3 mil) and failed to cooperate with HHS’s investigation (fine $3 mil)

• First fine by HHS for violations of HIPAA Privacy Rule provisions

– Massachusetts General Hospital – Settlement with HHS in amount of $1 million (Feb. 2011)

• Settlement for alleged violations of HIPAA (paper records lost on subway)

HealthNet - Case Study

• May of 2009: Portable computer disk drive with 446,000 private records lost/stolen from HealthNet Connecticut.

• November 2009: HealthNet goes public about the breach, notifying the affected individuals and the Attorney General.

• January 2010: Connecticut Attorney General files suit against HealthNet alleging:

– Improper handling of the breach event

– Failure to timely notify affected individuals and AG’s office

– 12 violations of HIPAA privacy and security rules

HealthNet - Case Study

• OUTCOME: July 7, 2010 HealthNet Settles Suit

• HealthNet will pay CT $250,000 in statutory damages and implement a corrective action plan.

• If misuse of the data is established, such as actual identity theft, Health Net will pay CT an additional $500,000 in statutory damages.

• HealthNet incurred costs of over $7 Mil to forensically investigate, provide notification and credit monitoring…

RECENT HIPAA/HITECH BREACHES

• Massachusetts Eye and Ear – September 2012

• Alaska Department of Health and Human Services – June 2012

• Phoenix Cardiac Surgery – April 2012

• Blue Cross Blue Shield of Tennessee – March 2012

• Health Net Connecticut – January 2010

Class Action Claims

• Litigation

– Breach guidance

– Investigation

– Notification

– E-discovery

– Litigation prep

– Contractual review

– Defense (MDL?)

• Plaintiffs’ Demands

– Fraud reimbursement

– Credit monitoring

– Identity monitoring

– Civil fines and/or penalties

– Time

Class Action—Tricare

• September, 2011: Backup tapes containing PHI of 4.9m patients treated at San Antonio military facilities between 1992 and September 7, 2011 stolen from vehicle of Tricare contractor Science Applications International Corp. employee

• PHI—names, addresses, phone numbers, clinical notes, laboratory tests, prescription information, social security numbers

• September 14, 2011: Science Applications International Corp. notifies Tricare

• September 29, 2011: Tricare begins patient notifications

• Tricare did not offer credit monitoring

Tricare, cont’d

• October 11, 2011: lawsuit filed, alleging, among other things:

– Tricare operations manual requires notification no later than ten days after discovery of breach

– Tricare was repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security but failed to effectively respond

• Lawsuit seeks an award of $4,900,000,000 ($1,000 for each affected individual)

Class Action—Sutter Health

• October 15-16, 2011: Sutter Health’s administrative offices burglarized, and a desktop PC, among other things, was stolen, containing:

– Names, addresses, dates of birth, phone number, and email of 3.3m Sutter Physician Services patients treated between 1995 and January 2011

– Information on medical diagnoses and procedures for 943,000 Sutter Medical Foundation patients treated between 2005 and January 2011

• October 17, 2011: theft reported to police

• November 15, 2011: Sutter Health began notifying affected individuals

• November 16, 2011: first lawsuit filed; twelve filed thus far

So What Else Keeps HIPAA Privacy Officers Up at Night?

• Employee Clinics

• Cloud Computing

• Social Media Challenges

• Encryption of Portable Devices and Tracking – Where is the PHI?

Questions?

Kimberly B. Holmes, Esq.

[email protected]

(860) 408-2017

Christopher Keegan

[email protected]

(212) 915-8276

John F. Mullen, Esq.

[email protected]

(215) 358-5154